Securing DNS


Strategies & Techniques for Simplifying and Securing Your DNS, DHCP, & IP Infrastructure

Securing Your DNS Infrastructure

Presented By
Alex Drescher, Director, Software Product Planning
Tim Rooney, Director, Software Product Management
INS Background
‹ Vendor-independent, global provider of IT infrastructure consulting services and software
„ 13 years of business-centric technology consulting
„ Scalable software solutions for complex IP networks
„ 30+ offices across North America, Europe & SE Asia
‹ Focus on Fortune 1000 enterprises and major service providers
„ Experience with >75% of Fortune 500
„ Conducting business with >50% of the Fortune 100
„ Conducting business with all major voice and data SPs

2 The knowledge behind the network.® January 2005


You Mean My DNS Isn’t Secure?

Importance of DNS Security
‹ IP applications usability
‹ DNS ubiquity
‹ DNS attack impacts
„ Attacker access to host and IP address information on your network
„ Attacker can modify zone data, pointing web or email servers elsewhere
„ Denial of service attacks can prevent web server and email access

Man in the Middle or Spoofing Attacks
‹ Attacker name server “intercepts” DNS query
‹ Attacker name server responds with a misleading response
„ Packet Interception
„ ID Guessing – ID field 16 bits + 16-bit server UDP port – 2^32 possibilities
‹ Resolver caches this false information

[Diagram: the resolver asks the intended name server “What is the address for www.ins.com?”; the attacker name server answers first with “The address is 168.77.23.15”.]

DNS Spoofing/Cache Poisoning
‹ Resolver queries a local DNS server
‹ The local DNS server issues a recursive query to obtain the information if it is not authoritative or cached
‹ Attacker spoofs the intended name server’s response
‹ Local DNS server caches this information
‹ Resolver caches this information

[Diagram: the resolver asks the local DNS server “What is the address for www.ins.com?”; the local server asks the intended name server “Do you know the address for www.ins.com?”; the attacker name server spoofs the reply “Sure, it’s 168.77.23.15”, and the local server passes on “The address is 168.77.23.15”.]

Name Chaining
‹ Attacker’s response includes one or more RRs with DNS names in their RDATA
‹ Attacker introduces DNS names of the attacker’s choosing
‹ Attacker can provoke a query for such names
„ E.g., graphic link in email – victim’s email program resolves the link
[Diagram: the resolver asks “What is the address for www.ins.com?”; the attacker name server answers “The address is 198.134.150.150, and here is some additional info”, the additional RRs carrying names of the attacker’s choosing.]

DNS Buffer Overflow
‹ “Smashing the Stack”
‹ Can result in attacker gaining root user access to the name server
‹ Attacker can obtain zone information from the master server to identify hosts and IP addresses for subsequent attack
‹ Attacker can also modify resource records to hijack certain applications or resources
‹ Attacker can also, as a root user, access and modify other applications on that server

Client Resolver Configuration Attack
‹ Attacker modifies the DNS server IP addresses configured on the client and/or the hosts.txt file
„ Web plug-in
„ DHCP or PPP configuration
‹ Client issues DNS queries to the attacker’s DNS servers
‹ Attack can arise in the form of a trojan horse web download

Control Channel Access
‹ Attacker utilizes ndc or rndc commands to stop or start the name server, reload a zone and perform other critical functions

Vulnerability Summary
‹ DNS Server Integrity
„ Buffer overflows
„ OS vulnerabilities
‹ DNS Service Availability
„ Name server deployment
„ Denial of Service
‹ DNS Information Integrity
„ Footprinting or viewing zone data
„ Man in the middle, spoofing, cache poisoning, name chaining
„ Client resolver attack
‹ DNS Communications Integrity
„ Communications interception, disruption, and unauthorized updates
„ Control Channel access

Securing DNS Server Integrity
‹ Run DNS on dedicated hardware
„ If attacker gains access, limits exposure to other apps
„ Appliance or general purpose hardware
‹ Run latest version of DNS software
„ Reduce buffer overflow and other vulnerabilities
‹ Jailed environment – chroot (Unix/Linux)
„ If attacker gains access, limits root and file system access
„ named -u user -g group -t chroot_directory
„ chroot_directory is a subdirectory below the file system root
‹ Hardened OS and/or OS platform diversity
„ Run only necessary OS services
„ Restrict open TCP/UDP ports
„ Limit users and permissions as much as possible

Securing DNS Service Availability
‹ Deploy multiple authoritative servers for high availability
‹ Deploy servers on multiple networks and/or ISPs
‹ Deploy external name space on external servers separate from internal servers
„ Minimize open ports on external servers in particular
„ Minimize open ports on the internal gateway between internal and external name servers
„ Deploy appropriate ACLs and security options on all servers
„ If multiple servers are not possible, implement BIND 9 views
‹ Consider running internal roots
„ Modify the internal servers’ hints file

Securing DNS Information Integrity
‹ Maintain currency of DNS server releases
‹ Configure logging on each server and monitor for exceptions
‹ Lock down controls on access to DNS information
„ Implement ACLs for query, transfer, update, notify
‹ “Hide” your master DNS servers
‹ Keep up to latest releases of OS/IP stack (resolver) to minimize resolver vulnerabilities

Securing DNS Communications Integrity
‹ Restrict zone transfers and updates via ACLs
„ allow-transfer, allow-update, allow-notify
‹ Digitally sign transfers and updates
„ TSIG, GSS-TSIG
‹ Control channel access control
„ controls statement
‹ Disallow recursive queries on “delegation point” servers
„ Resolvers should not “point” to these servers
‹ Separate network for zone transfers and control channels
‹ Secure the management interface to the server
„ User definable port
„ Data encryption

DNS Communications Integrity
Example TSIG Configuration

1. Create pairwise key

2. Deploy the key to each server

3. Inform the servers of the key

4. Instruct the servers to apply the key

5. Apply on ACLs as well
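The five steps above written out as a BIND 9 named.conf, added here as an example and not taken from the presentation; the server names ns1 (192.0.2.1) and ns2 (192.0.2.2), the key name, the zone and the secret are constructed placeholders.

```conf
// Step 1 (on an admin host): generate the pairwise secret, e.g.
//   tsig-keygen -a hmac-sha256 ns1-ns2.key              (current BIND 9)
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-ns2.key (BIND 9 of 2005)
// Step 2: copy the resulting key statement to BOTH ns1 and ns2 over a
//   secure channel; it is a shared secret, so never send it in clear text.

// Step 3: inform each server of the key (identical stanza on ns1 and ns2).
key "ns1-ns2.key" {
    algorithm hmac-sha256;
    secret "Tm90QVJlYWxTZWNyZXQ=";   // constructed placeholder, not a real key
};

// Step 4, on ns1 (master): sign every request sent to ns2.
server 192.0.2.2 {                  // ns2, RFC 5737 documentation address
    keys { "ns1-ns2.key"; };
};
// Step 4, on ns2 (slave): the mirror image, so NOTIFY/AXFR/IXFR traffic
// toward ns1 is signed as well.
// server 192.0.2.1 { keys { "ns1-ns2.key"; }; };

// Step 5: require the key in the ACLs. An unsigned or badly signed request
// is refused even when it arrives from an otherwise permitted address.
zone "example.com" {
    type master;
    file "master/example.com.db";
    allow-transfer { key "ns1-ns2.key"; };
    allow-update   { key "ns1-ns2.key"; };
    also-notify    { 192.0.2.2; };
};
```

On the slave, the matching zone uses `allow-notify { key "ns1-ns2.key"; };` so that only signed NOTIFY messages trigger a transfer.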

Summary of Major DNS Options Impacting Security
‹ ACLs
„ acl “aclname” { addresses; };
z allow-transfer
z allow-recursion
z allow-notify
z allow-query
z allow-update
z blackhole
‹ DNS views – multiple logical servers on one server
„ view “viewname” { options and zone blocks };
‹ IP address/port specifications
„ query-source address addr port port; – source address and port of recursive queries
„ notify-source IP-addr [port port];
„ listen-on [port port] { IP-addr; ... ; };
„ use-id-pool yes; – randomize query message IDs (standard for BIND 9)

‹ Logging
„ logging { channel channel-name { channel-specs }; };
„ category name { channel-name ; ... ; };
‹ Control channel access
„ controls { inet * allow { ACL; } keys { “rndc-key”; }; };
„ rndc.conf
‹ Miscellaneous
„ recursion no;
„ version “faux version text”;
„ pid-file “pathname to named.pid”;
„ directory “pathname to zone data files”;
„ fetch-glue no; – the standard behaviour on BIND 9
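As an added example (not from the presentation), a hardened named.conf skeleton that combines the options summarized above on one server; the network prefixes, file names and key secret are constructed placeholders, and hmac-sha256 is used where a 2005 deployment would have used hmac-md5.

```conf
// Added example, not from the presentation: a hardened BIND 9 named.conf
// skeleton built from the options listed above. Network prefixes are
// RFC 1918/5737 placeholders; the key secret is a constructed placeholder.
acl "internal"    { 10.0.0.0/8; 127.0.0.1; };
acl "secondaries" { 192.0.2.2; };

options {
    directory "/var/named";               // zone data (relative to a chroot)
    pid-file  "/var/run/named/named.pid";
    listen-on port 53 { 192.0.2.1; };     // service interface only
    version   "not disclosed";            // hide the real release string
    recursion no;                         // delegation-point default; views override
    allow-query    { any; };
    allow-transfer { "secondaries"; };    // AXFR/IXFR only to our own secondaries
    notify-source 192.0.2.1;
};

key "rndc-key" { algorithm hmac-sha256; secret "Tm90QVJlYWxTZWNyZXQ="; };  // placeholder

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
    channel "security_log" {
        file "log/security.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category security { "security_log"; };  // ACL denials, TSIG failures
    category xfer-in  { "security_log"; };
    category xfer-out { "security_log"; };
};

// Views give split-horizon DNS on one server when separate internal and
// external servers are not possible; match-clients is tested in order.
view "inside" {
    match-clients { "internal"; };
    recursion yes;                        // internal resolvers may recurse
    zone "example.com" { type master; file "internal/example.com.db"; };
};
view "outside" {
    match-clients { any; };
    recursion no;
    zone "example.com" { type master; file "external/example.com.db"; };
};
```

Run `named-checkconf` against the file before reloading; once views are present, every zone must live inside a view.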

What About DNSSEC?
‹ Services Provided
„ Provides integrity and origin authentication to resolvers via digital signatures
„ Authenticated public key process for accessing signed zones
„ Security of DNS data (not communications)
‹ New Resource Record Types
„ RRSIG – stores the zone’s digital signature(s)
„ DNSKEY – stores the zone’s public key
„ DS – stores the public key(s) used in the process of determining a delegated zone’s key(s)
„ NSEC – canonically links existing names in a zone to enable a security aware resolver to authenticate a negative reply for name or type non-existence

DNSSEC Pros and Cons
‹ Pros
„ End to end integrity checks
„ Better protects resolver
„ Provides protection of DNS information integrity
z Origin authentication
z Information integrity protection
‹ Cons
„ Not widely implemented or deployed as yet
z Intervening non-security-aware devices such as NATs, DNS proxies or recursive name servers may invalidate security
„ Resolver performance
„ Key rollover

Microsoft Recommendations for DNS Security
‹ Deploy external name space on external servers separate from internal servers
‹ Deploy servers on multiple networks and/or ISPs
‹ Encrypt zone replication traffic
‹ Configure firewalls to enforce packet filtering for UDP and TCP port 53
‹ Restrict which DNS servers are allowed to initiate a zone transfer for each zone
‹ Prevent unauthorized access to your servers
„ Allow only secure dynamic update for your zones
„ Limit the list of DNS servers that are allowed to obtain a zone transfer
‹ Monitor the DNS logs
‹ Implement Active Directory™ for internal servers
„ Integrated zones with secure dynamic update

INS IPControl Software
Simplifying DNS Security Configuration
‹ Graphical web interface
‹ DNS option dictionaries
‹ Address match lists facilitate ACL creation
‹ Auto TSIG key generation
‹ Pairwise server TSIG assignment
‹ Simple internal root server designation and hints file customization
‹ Easy definition of logging channels and association with categories
‹ Auto rndc.conf creation
‹ Much more…

Contact us at diamondip@ins.com or +1-800-390-6295


Resources
‹ White Papers
http://www.ins.com/knowledge/whitepapers.asp
„ Best Practices for Next Generation IP Address Management
„ INS IPControl™ Return on Investment Analysis
‹ NetKnowledge Webinars
http://www.ins.com/knowledge/webseminar_archives.asp
„ IP Management Best Practices – Facing the New Reality
‹ Websites
„ ISC BIND Site - www.isc.org/sw/bind
„ CERT® – www.cert.org (advisories) or www.us-cert.gov
„ DNSSEC – www.dnssec.net
„ Microsoft DNS Resources – www.microsoft.com/windowsserversystem/default.mspx
‹ IETF Working Groups
„ DNS Extensions - www.ietf.org/html.charters/dnsext-charter.html
„ DNS Operations - www.ietf.org/html.charters/dnsop-charter.html

Question and Answer
‹ Tell us what you think about this webinar
http://www.ins.com/knowledge/surveys/feedback.asp
‹ Upcoming webinars
„ Understanding End-to-End Performance to Optimize Business Solutions, Feb. 16th
„ Adaptable IP Inventory, Feb. 24th
‹ For more information
„ Call 1-888-767-2988 in the U.S., 44 (0) 1628 503000 in Europe, or 1-408-330-2700 worldwide

Glossary
‹ ACL – Access Control List
‹ BIND – Berkeley Internet Name Domain
‹ DMZ – Demilitarized Zone
‹ DNS – Domain Name System
‹ DNSSEC – DNS Security Extensions
‹ GSS-TSIG – Generic Security Service – Transaction Signature
‹ NAT – Network Address Translation
‹ NDC – Name Daemon Controller
‹ PPP – Point-to-Point Protocol
‹ RNDC – Remote Name Daemon Controller
‹ RDATA – Record Data field within each resource record
‹ RR – Resource Record
‹ TCP – Transmission Control Protocol
‹ TSIG – Transaction Signature
‹ UDP – User Datagram Protocol
